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-- The MAILING DATE of this communication appears on the cover sheet with the correspondence address 
Period for Reply 

A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) FROM 
THE MAILING DATE OF THIS COMMUNICATION, 

- Extensions of time may be available under the provisions of 37 CFR 1 . 1 36(a). In no event, however, may a reply be timely filed 
after SIX (6) MONTHS from the mailing date of this communication. 

- If the period for reply specified above is less than thirty (30) days, a reply within the statutory minimum of thirty (30) days will be considered timely. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 1 33). 

- Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1.704(b). 

Status 

1 )S Responsive to comnnunication(s) filed on 30 December 2002 . 
2a)[3 This action is FINAL. 2b)n This action is non-final. 

3) n Since this application is in condition for allowance except for formal matters, prosecution as to the merits is 

closed in accordance with the practice under £x parte Quay/e, 1935 CD. 11,453 O.G.213. 
Disposition of Claims 

4) ^ Claim(s) 1-18 is/are pending in the application. 

4a) Of the above claim(s) is/are withdrawn from consideration. 

5) n Claim(s) is/are allowed. 

6) ^ Claim(s) 1-18 is/are rejected. 

Ctaim(s) is/are objected to. 

8) 0 Claim(s) are subject to restriction and/or election requirement. 

Application Papers 

9) D The specification is objected to by the Examiner. 

10) 0 The drawing(s) filed on is/are: a)n accepted or b)^ objected to by the Examiner. 

Applicant may not request that any objection to the drawlng(s) be held in abeyance. See 37 CFR 1 .85(a). 

11) 0 The proposed drawing correction filed on Is: a)n approved b)n disapproved by the Examiner. 

If approved, corrected drawings are required in reply to this Office action. 

12) n The oath or declaration is objected to by the Examiner. 
Priority under 35 U.S.C. §§ 119 and 120 

1 3) 0 Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 1 1 9(a)-(d) or (f). 

a)nAII b)n Some*c)n None of: 

1 .□ Certified copies of the priority documents have been received. 

2. n Certified copies of the priority documents have been received in Application No. . 

3. n Copies of the certified copies of the priority documents have been received in this National Stage 

application from the International Bureau (PCT Rule 17.2(a)). 
* See the attached detailed Office action for a list of the certified copies not received. 

14) 0 Acknowledgment is made of a claim for domestic priority under 35 U.S.C. § 1 19(e) (to a provisional application). 

a) □ The translation of the foreign language provisional application has been received. 

15) n Acknowledgment is made of a claim for domestic priority under 35 U.S.C. §§ 120 and/or 121 . 
Attachment(s) 

1 ) S Notice of References Cited (PTO-892) 4) □ Interview Summary (PTO-41 3) Paper No(s). . 

2) CD Notice of Draftsperson's Patent Drawing Review (PTO-948) 5) □ Notice of Infomnal Patent Application (PTO-152) 

3) D Infomnation Disclosure Statement(s) (PTO-1449) Paper No(s) . 6) D Other: 

U.S. Patent and Trademark Office ~ ~ 

PTO-326 (Rev. 04-01 ) Office Action Summary Part of Paper No. 8 
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DETAILED ACTION 

1. The following is a Final Office Action in response to communications received 12/30/02. 
Claims 1,10, and 14 have been amended. Claims 1-18 are pending. 

Response to Amendment 

2. Applicant's amendment to claim 10 is sufficient to overcome the claim objection set forth 
in the previous office action. 

Response to Arguments 

3. Applicant's arguments with regard to the § 102 and § 103 rejections based on Weinstock 
et al. (U.S. 6,223,143) have been fully considered but they are not persuasive. In the remarks, 
the Applicant argues (1) that unlike the teachings of Weinstock et al, the control procedures of 
the Applicant's invention are associated with specific risks (or subrisks) and are procedures that 
are deemed as a means to mitigate risk, as disclosed in the Applicant's specification, (2) that 
Weinstock et al. does not teach or suggest identifying control procedures to address the failure 
modes of the event sequence charts or compliance ratings for such control procedures, and (3) 
that the event sequence charts of Weinstock et al. are intended to identify failure scenarios rather 
than address control procedures as in the Applicant's invention. 

In response to appHcant's argument (1) that unlike the teachings of Weinstock et al., the 
control procedures of the Applicant's invention are associated with specific risks (or subrisks) 
and are procedures that are deemed as a means to mitigate risk, as disclosed in the Applicant's 
specification (i.e. the references fail to show certain features of applicant's invention), it is noted 
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that the features upon which appUcant are not recited in the rejected claims. Although the claims 
are interpreted in Hght of the specification, limitations from the specification are not read into the 
claims. See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993). Examiner 
points out that the claims 1,10, and 14 specificially recite "identifying one or more control 
procedures associated with each said risk (subrisk) element", "assigning a weight to each said 
control procedure", and "identifying a compliance rating for each said control procedure", and 
do not include this specificity with regards to the terms "control procedure(s)" or "compHance 
rating". Therefore, these limitations have been reasonably read as identifying one or more 
ordered set of events for each risk/subrisk, assigning a weight to each of the identified ordered 
set of events, and identifying a rating of how much the ordered set of events acts in accordance 
with expectations. Examiner further point out that Weinstock et al. does teach and suggest these 
limitation by identifying a risk, creating an outline of the events that occur in producing the risk, 
assigning a weight to this outline, and then identifying a rating by quantifying/assessing the 
ordered set of events to obtain a score indicating the probabiUty of the events complying with an 
expected outcome, as stated in at least figures 1, 3 5 A, 7, 10, and at least column 8, lines 5-10, 
29-34, 45-67, column 9, lines 30-36, column 11, lines 49-67, and column 12, lines 8-17, 23-42, 
and 47-65, column 13, lines 42-59, and column 14, lines 1-5, column 22, lines 23-29, and 
column 23, lines 1-18. 

In response to Applicant's argument (2) that Weinstock et al. does not teach or suggest 
identifying control procedures to address the failure modes of the event sequence charts or 
compliance ratings for such control procedures. Examiner respectfully disagrees and again points 
out that claims 1, 10, and 14 do not include this specificity with regards to the terms "control 



Application/Control Number: 09/545,38 1 Page 4 

Art Unit: 3623 

procedure(s)" or "compliance rating". Therefore, these terms have been reasonably read as an 
ordered set of events for each and a rating showing of how much the ordered set of events acts in 
accordance with expectations. Examiner asserts that Weinstock et al. does teach and suggest 
identifying control procedures in at least column 8, lines 5-10, 29-34, 45-48, and 53-55, column 
13, hnes 42-59, and column 14, lines 1-5, and identifying compliance ratings in for the control 
procedures in at least column 8, lines 45-67, column 9, lines 30-36, column 12, lines 23-42, 
colunrn 22, lines 23-29, and column 23, lines 1-18. Examiner also assets that event sequence 
charts are visual representations of the events of a control procedure. 

hi response to Apphcant's argument (3) that the event sequence charts of Weinstock et al. 
are intended to identify failure scenarios rather than address control procedures as in the 
Applicant's invention, Examiner respectfully disagrees and further asserts that the event 
sequence diagrams identify the ordered sequence of events of a project that may result in a risk 
occurrence, and therefore identify the procedures controlling the risk element, as stated in at least 
figures 1, 3 5A, 7, 10, and at least column 7, lines 59-67, column 8, lines 1-10, 29-34, 45-67, 
column 9, lines 30-36, column 11, lines 49-67, and column 12, lines 8-17, 23-42, and 47-65, 
column 13, lines 42-59, and colunrn 14, lines 1-5, colunrn 17, lines 25-40, column 22, lines 23- 
29, and colunrn 23, lines 1-18. Since the limitations of the claims broadly recite "identifying one 
or more control procedures associated with each said risk (subrisk) element", Weinstock et al. 
does teach and disclose this limitation. 
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Claim Rejections - 35 USC § 102 



4. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in a patent granted on an application for patent by another filed in the United 
States before the invention thereof by the applicant for patent, or on an international application by another who 
has fulfilled the requirements of paragraphs (1), (2), and (4) of section 371(c) of this title before the invention 
thereof by the applicant for patent. 

The changes made to 35 U.S.C. 102(e) by the American Inventors Protection Act of 1999 
(AEPA) do not apply to the examination of this application as the application being examined 
was not (1) filed on or after November 29, 2000, or (2) voluntarily published under 35 U.S.C. 
122(b). Therefore, this appUcation is examined under 35 U.S.C. 102(e) prior to the amendment 
by the AIPA (pre-AIPA 35 U.S.C. 102(e)). 

Claims 1-3 and 6-18 are rejected under 35 U.S.C. 102(e) as being anticipated by 
Weinstock et al. (U.S. 6,223,143). 

5. As per claim 1, Weinstock et al. teaches a method of managing risk with the aid of a 
computer system, said method comprising: 

a. identifying a set of risk elements, said risk elements being stored in a database 
coupled to said computer (See at least column 1, lines 14-16, column 2, lines 65-67, 
column 3, lines 1-7 and 13-16, column 5, lines 63-67, column 6, lines 35-55, column 7, 
lines 45-50 and 59-67, and coliunn 8, lines 1-18, which disclose identifying a set of risk 
elements, said risk elements being stored in a database coupled to said computer); 

b. identifying one or more control procedures associated with each said risk element, 
said control procedures being stored in said database (See at least column 8, lines 5-10, 
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29-34, 45-48, and 53-55, column 13, lines 42-59, and column 14, lines 1-5, which discuss 
identifying one or more control procedures associated with each risk element, these 
control procedures being stored in the database); 

c. assigning a weight to each said control procedure (See column 8, lines 46-52, 
column 9, lines 30-36, column 11, lines 49-67, and column 12, lines 8-17 and 47-65, 
which disclose assigning a weight to each of said control procedures); 

d. identifying a compliance rating for each said control procedure (See column 8, 
lines 45-67, column 9, lines 30-36, column 12, lines 23-42, column 22, lines 23-29, and 
column 23, lines 1-18, which discloses determining a compHance rating for each control 
procedure); and 

e. calculating a compliance score, each compliance score being a function of said 
assigned weights and said compliance rating of said control procedures (See at least 
column 8, lines 55-64, column 22, lines 23-29, and colunrn 23, lines 1-5, which discuss 
calculating a compliance score, this score being a function of said assigned weights and 
said compliance rating of said control procedures). 

6. As per claim 2, Weinstock et al. teaches a method wherein said compliance ratings 
comprise at least one rating identifying a non-fuUy compliant control procedure, said method 
further comprising the steps of: 

a. for each said control procedure having a non- fully compliant rating, receiving a 
signal indicating whether said non- fully compliant control procedure is accepted or not 
accepted (See column 8, lines 55-64, column 9, lines 1-5 and 5-24, and column 22, lines 
23-37, which discuss for each control procedure not having a fully compliant rating, 
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receiving a signal indicating whether the control procedure is accepted or not accepted); 
and 

b. for each of said non-fuUy compliant control procedure which is indicated as not 
accepted, generating an action plan (See column 9, lines 12-24, which discusses for each 
non-fuUy compliant control procedure generating an action plan). 

7. As per claim 3, Weinstock et al. teaches a method wherein said action plan includes a 
target date, said method further comprising the step of calculating an expected compliance score 
for one or more future dates based on said action plan target dates (See column 3, lines 34-37, 
column 9, lines 12-24, column 11, lines 49-53 and 60-67, column 12, lines 1-5 and 8-24, column 
13, lines 5-22, column 14, lines 22-47, and column 22, lines 23-39 and 63-65, which discuss the 
action plan, this action plan having target dates/times, and an expected compliance score is 
calculated using these target dates/times). 

8. As per claim 6, Weinstock et al. teaches a method further comprising the step of 
associating one or more parameters with each said compliance rating (See column 8, lines 45-67, 
column 9, lines 12-24, and column 16, lines 48-53, which discuss associating one or more 
parameters with each compliance rating). 

9. As per claim 7, Weinstock et al. teaches a method wherein said one or more parameters 
are selected from the group comprising organization, business line, process, and region (See at 
least column 8, lines 45-67, column 9, lines 6-1 1 and 12-24, column 16, lines 48-53, column 17, 
lines 25-40, and column 25, lines 16-25, which disclose process parameters). 

10. As per claim 8, Weinstock et al. teaches a method further comprising the step of sorting 
said compliance scores by said one or more parameters (See at least column 9, lines 6-11, 
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column 17, lines 25-40, and column 25, lines 16-25, which disclose sorting the compliance 
scores by one or more parameters). 

11. As per claim 9, Weinstock et al. discloses a method further comprising the step of 
displaying said sorted comphance scores (See column 9, lines 6-11, and figure 5 A, which 
disclose displaying the sorted compliance scores). 

12. As per claim 10, Weinstock et al. teaches a method of managing risk with the aid of a 
computer system, said method comprising: 

a. identifying a set of risk elements, said risk elements being stored in a database 
coupled to said computer (See at least column 1, lines 14-16, column 2, lines 65-67, 
column 3, lines 1-7 and 13-16, column 5, lines 63-67, column 6, lines 35-55, column 7, 
lines 45-50 and 59-67, and column 8, lines 1-18, which disclose identifying a set of risk 
elements, said risk elements being stored in a database coupled to said computer); 

b. identifying one or more subrisk elements associated with each said risk elements, 
each subrisk element being stored in said database (See at least column 1, lines 14-16, 
column 2, lines 65-67, column 3, lines 1-7 and 13-16, column 5, lines 63-67, column 6, 
lines 35-55, column 7, lines 45-50 and 59-67, column 8, lines 1-18, 29-34, 45-48, and 53- 
55, column 13, lines 42-59, and column 14, lines 1-5, which disclose identifying one or 
more subrisk element associated with the risk elements, this identified subrisks being 
stored in a database); 

c. identifying one or more control procedures associated with each said subrisk 
element, said control procedures being stored in said database (See at least colunrn 8, 
lines 5-10, 29-34, 45-48, and 53-55, column 13, lines 42-59, and column 14, lines 1-5, 
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which discuss identifying one or more control procedures associated with each risk 
element, these control procedures being stored in the database); 

d. assigning a weight to each said control procedure (See column 8, lines 46-52, 
column 9, lines 30-36, coluirm 11, lines 49-67, and colunrn 12, lines 8-17 and 47-65, 
which disclose assigning a weight to each of said control procedures); 

e. identifying a compliance rating for each said control procedure, said compliance 
ratings including a plurality of categories including at least one category indicating said 
control procedure is not fully compliant (See column 8, lines 45-67, column 9, lines 30- 
36, column 12, lines 23-42, colunrn 22, lines 23-29, and column 23, lines 1-18, which 
discloses determining a compliance rating for each control procedure, the compliance 
rating having a plurality of categories including categories indicating the control 
procedure is not fully compliant); 

f. calculating a compliance score, said compliance score being a function of said 
assigned weights and said compliance rating of said control procedures (See at least 
column 8, lines 55-64, column 22, lines 23-29, and column 23, lines 1-5, which discuss 
calculating a compliance score, this score being a function of said assigned weights and 
said compliance rating of said control procedures); 

g. for each subrisk, determining whether at least one control procedure associated 
with said subrisk is not fully compHant (See column 8, lines 55-64, column 9, lines 1-5 
and 5-24, and column 22, lines 23-37, which discuss at least one control procedure not 
having a fully compliant rating); 
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for each subrisk associated with at least one control procedure which is not fully 



compliant, receiving a signal indicating whether said subrisk should be accepted or not 
accepted (See column 8, lines 55-64, column 9, lines 1-5 and 5-24, and column 22, lines 
23-37, which discuss for each control procedure not having a fully compliant rating, 
receiving a signal indicating whether the control procedure is accepted or not accepted); 
and 

i. for each subrisk which is indicated as not accepted, generating an action plan (See 
column 9, lines 12-24, which discusses for each non-fuUy compliant control procedure 
generating an action plan). 

13. As per claim 1 1, Weinstock et al. teaches a method wherein said action plan further 
includes a target date, said method further comprising the step of calculating a future compliance 
score based on said action plan target dates (See column 3, lines 34-37, column 9, lines 12-24, 
column 11, lines 49-53 and 60-67, column 12, lines 1-5 and 8-24, column 13, lines 5-22, column 

14, lines 22-47, and column 22, lines 23-39 and 63-65, which discuss the action plan, this action 
plan having target dates/times, and an expected compliance score is calculated using these target 
dates/times). 

14. As per claim 12, Weinstock et al. teaches a method further comprising the step of 
associating one or more parameters with each said comphance rating (See column 8, lines 45-67, 
column 9, lines 12-24, and column 16, lines 48-53, which discuss associating one or more 
parameters with each compliance rating). 

15. As per claim 13, Weinstock et al. teaches a method further comprising the step of sorting 
said comphance ratings and displaying said sorted ratings (See at least column 9, lines 6-11, 
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column 17, lines 25-40, and column 25, lines 16-25, which disclose sorting the compliance 
scores by one or more parameters. See column 9, lines 6-11, and figure 5 A, which disclose 
displaying the sorted compliance scores). 

16. As per claim 14, Weinstock et al. teaches a method of forecasting risk with the aid of a 
computer system, said method comprising: 

a. identifying a set of risk elements, said risk elements being stored in a database 
coupled to said computer (See at least column 1, lines 14-16, column 2, lines 65-67, 
colunm 3, lines 1-7 and 13-16, column 5, lines 63-67, column 6, lines 35-55, column 7, 
lines 45-50 and 59-67, and column 8, lines 1-18, which disclose identifying a set of risk 
elements, said risk elements being stored in a database coupled to said computer); 

b. identifying one or more control procedures associated with each said risk element, 
said control procedures being stored in said database (See at least column 8, lines 5-10, 
29-34, 45-48, and 53-55, column 13, lines 42-59, and column 14, lines 1-5, which discuss 
identifying one or more control procedures associated with each risk element, these 
control procedures being stored in the database); 

c. assigning a weight to each said control procedure (See column 8, lines 46-52, 
column 9, lines 30-36, column 11, lines 49-67, and colunm 12, lines 8-17 and 47-65, 
which disclose assigning a weight to each of said control procedures); 

d. identifying a compliance rating for each said control procedure, said compliance 
rating chosen from a set of ratings including at least one rating identifying a non- fully 
compliant control procedure and at least one rating identifying fully compliant control 
procedures (See column 8, lines 45-67, column 9, lines 30-36, column 12, lines 23-42, 
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column 22, lines 23-29, and column 23, lines 1-18, which discloses detemiining a 
compliance rating for each control procedure, the compliance rating chosen from a set of 
ratings including at least one indicating a non- fully compliant control procedure and at 
least one indicating fully compliant control procedures). 

e. for each said control procedure having a non-fuUy compliant rating, generating an 
action plan, said action plan including a target date for at least one action listed therein 
(See at least column 8, lines 55-64, colunrn 22, lines 23-29, and column 23, lines 1-5, 
which discuss calculating a compliance score, this score being a function of said assigned 
weights and said compliance rating of said control procedures. See column 3, lines 34- 
37, column 9, lines 12-24, column 11, lines 49-53 and 60-67, colunrn 12, lines 1-5 and 8- 
24, column 13, lines 5-22, column 14, lines 22-47, and column 22, lines 23-39 and 63-65, 
which discuss the action plan, this action plan having target dates/times); and 
f calculating an expected compliance score for a future date, said expected 
compliance score being a function of said assigned weights, said fully compliant control 
procedures, and said action plan target dates for said non- fully complaint control 
procedures (See column 3, lines 34-37, column 8, lines 45-67, column 9, lines 12-24 and 
30-36, column 11, lines 49-53 and 60-67, column 12, lines 1-5 and 8-24, column 13, lines 
5-22, column 14, lines 22-47, and column 22, lines 23-39 and 63-65, which discuss 
calculating an expected compliance score for an action plan, this action plan having target 
dates/times). 

17. As per claim 15, Weinstock et al. teaches a method wherein said action plan comprises a 
signal indicating whether said non-fuUy compliant rating is accepted or not accepted, said 
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expected compliance score further being a function of said non- fully compliant ratings which 
have been accepted (See column 8, lines 55-64, column 9, lines 1-5 and 5-24, and column 22, 
lines 23-37, which discuss for each control procedure not having a fully compliant rating, 
receiving a signal indicating whether the control procedure is accepted or not accepted. The 
expected compliance score is a function of non- fully compliant ratings, some of which have been 
accepted). 

18. As per claim 16, Weinstock et al. teaches a data processing system for managing risk, 
said system comprising 

a. a database (See column 6, lines 42-50, which discloses the system comprising a 
database); 

b. a processor coupled to said database, said processor being programmed to 
perform the steps comprising (See column 6, lines 42-50, which discloses the system 
comprising a processor coupled to a database. This processor performs steps): 

i. receiving a first signal identifying a set of risk elements, said risk elements 
being stored in said database (See at least column 1, lines 14-16, column 2, lines 
65-67, column 3, lines 1-7 and 13-16, column 5, lines 63-67, column 6, lines 35- 
55, column 7, lines 45-50 and 59-67, and column 8, lines 1-18, which disclose 
identifying a set of risk elements, said risk elements being stored in said 
database); 

ii. receive a second signal identifying one or more control procedures 
associated with each said risk element, said control procedure being stored in said 
database (See at least colunrn 8, lines 5-10, 29-34, 45-48, and 53-55, column 13, 
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lines 42-59, and column 14, lines 1-5, which discuss identifying one or more 
control procedures associated with each risk element, these control procedures 
being stored in the database); 

iii. receive a third signal assigning a weight to each said control procedure, 
said weight being stored in said database (See column 8, lines 46-52, column 9, 
lines 30-36, column 11, lines 49-67, and column 12, lines 8-17 and 47-65, which 
disclose assigning a weight to each of said control procedures); 

iv. receive a fourth signal identifying a compliance rating for each said 
control procedure (See column 8, lines 45-67, column 9, lines 30-36, column 12, 
lines 23-42, column 22, lines 23-29, and column 23, lines 1-18, which discloses 
identifying a compliance rating for each control procedure); and 

V. calculate a compliance score, said compliance score being a function of 
said assigned weights and said compliance rating of said control procedures (See 
at least column 8, lines 55-64, column 22, lines 23-29, and column 23, hnes 1-5, 
which discuss calculating a compliance score, this score being a function of said 
assigned weights and said compliance rating of said control procedures). 
19. As per claim 17, Weinstock et al. teaches a data processing system wherein said 
compliance ratings comprise at least one rating identifying a non-fuUy compliant control 
procedure, said processor being further programmed to perform the steps comprising: 

a. for each said control procedure having a non- fully compliant rating, receiving a 
signal indicating whether said non-fiilly compliant rating is accepted or not accepted (See 
column 8, lines 55-64, column 9, lines 1-5 and 5-24, and column 22, lines 23-37, which 
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discuss for each control procedure not having a fully compliant rating, receiving a signal 
indicating whether the control procedure is accepted or not accepted); 

b. for each said non-fuUy compliant control procedure which is indicated as not 
accepted, receiving an action plan, said action plan including an expected target date for 
implementation and an expected compliance rating (See column 3, lines 34-37, column 9, 
lines 12-24, column 11, lines 49-53 and 60-67, column 12, lines 1-5 and 8-24, column 13, 
lines 5-22, column 14, lines 22-47, and column 22, lines 23-39 and 63-65, which 
discusses for each non- fully compliant control procedure generating an action plan, this 
action plan having target dates/times); and 

c. generating one or more future expected compliance scores, said compliance 
scores being a function of said target dates, said assigned weights, and said expected 
compHance rating of said control procedures (See column 3, lines 34-37, column 8, lines 
55-64, column 9, lines 12-24, column 11, lines 49-53 and 60-67, column 12, lines 1-5 and 
8-24, column 13, lines 5-22, column 14, lines 22-47, column 22, lines 23-39 and 63-65, 
and column 23, lines 1-5, which discuss the action plan and generating a future expected 
compliance score using these target dates/times, assigned weights, and expected 
compliance ratings). 

20. As per claim 1 8, Weinstock et al. teaches a data processing system further comprising a 
computer display coupled to said processor, said processor further being programmed to display 
said compUance scores on a computer display (See column 6, lines 42-50, which discusses a 
computer display. See at least column 16, lines 33-41, column 18, lines 20-25, column 20, lines 
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16-24, column 25, lines 33-37 and 51-53, and column 26, lines 34-38, which discuss displaying 
compliance scores on a computer display). 

Claim Rejections - 35 USC § 103 

21. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

Claims 4 and 5 are rejected under 35 U.S.C. 103(a) as being unpatentable over Weinstock 
et al. (U.S. 6,223,143) in view of Strategies and Tactics ("Consulting Services"). 

22. As per claim 4, Weinstock et al. discloses a method comprising calculating compHance 
scores for the target dates, these compliance scores being calculated based on information about 
the project input by the user (See column 3, lines 34-37, column 9, lines 12-24, column 11, lines 
49-53 and 60-67, column 12, lines 1-5 and 8-24, column 13, lines 5-22, column 14, lines 22-47, 
column 16, lines 50-56, and column 22, lines 23-39 and 63-65, which discuss calculating 
compliance scores for target dates based on user input). However, Weinstock et al. does not 
expressly disclose the step of tracking whether said expected compliance scores have been met, 
said tracking including calculating actual compliance scores for the target dates. 

Strategies and Tactics discloses implementing an action plan and tracking the actual 
performance of this action plan and whether the expected performance measures of the action 
plan have been met (See pages 5-7, which discuss implementing an action plan, said action plan 
having an expected outcome, and tracking an implemented action plan to see actual 
performance). 
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Both Weinstock et al. and Strategies and Tactics discuss assessing and managing risk 
through the implementation of alternative action plans that will minimize risk. It would have 
been obvious to one of ordinary skill in the art at the time of the invention to use tracked 
performance data as the data input into the system of Weinstock et al. by the user in order to 
make the tool more capable of predicting and quantifying risks facing a system by validating the 
results produced by the tool and using any variations foimd to tune it. 
23. As per claim 5, Weinstock et al. discloses calculating expected compliance scores for 
said target dates based on data input by the user and displaying original values along with newly 
determined values (See column 3, lines 34-37, column 9, lines 12-24, column 11, lines 49-53 and 
60-67, column 12, lines 1-5 and 8-24, column 13, lines 5-22, column 14, lines 22-47, column 16, 
lines 50-56, and column 22, lines 23-39 and 63-65, which discuss calculating expected 
comphance scores for target dates based on user input. See column 25, lines 50-53, which 
discusses displaying original values along with newly determined values). However, Weinstock 
et al. does not expressly disclose calculating actual compliance for the target date or displaying 
specifically expected compliance scores versus actual compliance. 

Stratgies and Tactics discloses a method further comprising calculating actual compliance 
for the target dates and displaying results (See pages 6-7, which discusses actual compliance for 
the target dates and displaying the results). However, Strategies and Tactics does not expressly 
disclose displaying said expected compliance scores versus said actual compliance. 

Both Weinstock et al. and Strategies and Tactics discuss assessing and managing risk 
through the implementation of alternative action plans that will minimize risk. It would have 
been obvious to one of ordinary skill in the art at the time of the invention to use tracked 
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performance data as the data input into the system of Weinstock et al. by the user in order to 
make the tool more capable of predicting and quantifying risks facing a system by validating the 
results produced by the tool and using any variations found to tune it. 

Furthermore, displaying theoretical versus actual data for comparison purposes is old and 
well known. It would have been obvious to one of ordinary skill in the art at the time of the 
invention to display the actual versus the expected scores for the risk assessment target date in 
order to increase the comprehension of the results by the user of the tool by using a graphical aid. 



24. No claims allowed. 

25. THIS ACTION IS MADE FINAL. Apphcant is reminded of the extension of time 
policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, 
however, will the statutory period for reply expire later than SIX MONTHS from the mailing 
date of this final action. 

26. The prior art made of record and not relied upon is considered pertinent to applicant's 
disclosure. 



Conclusion 
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Haimes ( Risk Modeling, Assessment and Manasement ) teaches the practice of 
identifying risks, modehng the risks and their control procedures, and quantifying these risks and 
control procedures. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Beth Van Doren whose telephone number is (703) 305-3882. 
The examiner can normally be reached on M-F, 8:30-5:00. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Tariq Hafiz can be reached on (703) 305-9643. The fax phone numbers for the 
organization where this apphcation or proceeding is assigned are (703) 305-7687 for regular 
communications and (703) 305-7687 for After Final communications. 

Any inquiry of a general nature or relating to the status of this application or proceeding 
should be directed to the receptionist whose telephone number is (703) 308-1 1 13. 




bvd 

Febraary 24, 2003 



